With the increase in the number of employees working remotely and employees connecting to the corporate network using multiple devices, modern corporate network infrastructures are increasingly becoming more flexible in design, especially in the area of remote connectivity. With this flexibility, security concerns about unauthorized access to the corporate network, traceability of remote users, and maintaining system-wide compliance are emerging.
In an attempt to address security concerns, many corporate networks are configured to use Dynamic Host Configuration Protocol (DHCP) for dynamically assigning network addresses, such as internet protocol (IP) addresses, to connected devices. Examples of connected devices within the corporate network may include fixed systems or remote systems. Fixed systems include devices such as desktop computers, servers, and printers. Remote systems include removable, wireless, and mobile devices such as laptops and personal digital assistants (PDAs). An IP address uniquely identifies the connected device (e.g., a client computer, PDA, server, printer, etc.) that is making use of the Internet. The IP address is used to direct data or communications to a particular connected device. For example, the data a web browser retrieves and displays when a user accesses a web site on the Internet is routed to that particular device based on its IP address. One task of a DHCP server is to assist in the problem of getting a functional and unique IP number to a device on the network.
In large networks, a server may not have exact information about a particular connected device until that computer requests the information. A laptop or other portable device is not typically connected continuously to a network. Therefore, such a device only needs an IP address while it is connected to the network. DHCP is a protocol that dynamically allocates information such as IP addresses to allow a device connected to a given network to use a unique IP address while the device is connected. DHCP may also enable host computers on a network to extract network configuration information automatically from one or more servers as they boot. DHCP may simplify the administration of a large network, where registration of every connected device is not feasible, or where some devices are connected only a fraction of the time.
A DHCP server typically requests a device's Media Access Control (MAC) address to uniquely identify it when assigning IP addresses. A MAC address is a six-byte number unique to any device that is connected to a network. While a MAC address uniquely identifies a particular network device, it typically includes no indication of where that particular device is located or who is using the device.
As an example illustrating the use of DHCP, a client computer attempting to connect to a corporate network may search for a DHCP server by broadcasting a message across the network. The message includes a unique identifier, which is typically derived from the client's MAC address. After determining the client's network, a DHCP server selects an available IP address for the client. An offer message is then returned to the client from the DHCP server, which includes information such as the selected IP address and services that can be configured for the client. As more than one server may send information to a given client computer, each server reserves its selected IP address for the client until a determination is made that the client will use the IP address.
If the client computer is sent offers from multiple prospective servers, the client selects the best offer based on the number and type of services offered, and broadcasts a request specifying the IP address of the server that made the best offer. In this manner, other servers that may have reserved and offered IP addresses can cancel the reservations. The selected server then allocates the reserved IP address for the client and sends an acknowledgement to the client. The client can then test the IP address and continue booting to join the network. Typically, an IP address is “leased” to a client computer; thus, it is necessary for the client to request an increase in the lease time at regular intervals. If the renewal request is accepted by the server, the client may continue to use the network for the specified lease period. When the client no longer needs its IP address, it notifies the server that it is releasing the IP address. The IP address is then free for the server to allocate to another client system when a request is made. Accordingly, the server is able to use a smaller pool of IP addresses than would be needed if all clients were assigned a permanent IP address.
A DHCP network is often not concerned with who connects to it, where the user is located, or how the connecting device is configured. This provides flexibility for users of portable devices, who can easily connect their systems to a DHCP network. Unauthorized users may be prevented from accessing a DHCP network by requiring a pre-registered MAC address to access the network. However, a MAC address can easily be forged by an unauthorized user. Additionally, as noted above, it may not be feasible to pre-register all devices on a large network. Typically, a server logs only a small amount of information from a connected portable device, such as a MAC address. Thus, it may only be possible to determine a time span and a switch port in which an unauthorized device was connected to the network.
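The exchange described in the preceding paragraphs (discover, offer, request naming the chosen server, acknowledgement, renewal, release), together with the limited lease log the last paragraph mentions, as an added Python model that is not part of the original text. It assumes constructed server names, address pools and service lists, an integer clock passed in by the caller, and "most services offered" as the client's rule for the best offer.

```python
class DhcpServer:
    # Model of one DHCP server: pool, pending offers, leases, and a log that
    # records only the client identifier, address and connected time span.
    def __init__(self, server_id, pool, services, lease_secs=3600):
        self.id, self.free, self.services = server_id, list(pool), services
        self.lease_secs = lease_secs
        self.reserved = {}   # client_id -> ip held while an offer is pending
        self.leases = {}     # ip -> (client_id, expiry time)
        self.log = []        # [client_id, ip, start, end]; end is None while active

    def offer(self, client_id, now):
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.reserved[client_id] = ip                  # hold until the client decides
        return {"server": self.id, "ip": ip, "services": self.services}

    def request(self, client_id, chosen_server, now):
        ip = self.reserved.pop(client_id, None)
        if ip is None:
            return None
        if chosen_server != self.id:                   # another server won: cancel
            self.free.insert(0, ip)
            return None
        self.leases[ip] = (client_id, now + self.lease_secs)
        self.log.append([client_id, ip, now, None])
        return {"server": self.id, "ip": ip, "expires": now + self.lease_secs}

    def renew(self, client_id, ip, now):
        owner, expiry = self.leases.get(ip, (None, 0))
        if owner != client_id or now > expiry:         # unknown or already expired
            return None
        self.leases[ip] = (client_id, now + self.lease_secs)
        return now + self.lease_secs

    def release(self, client_id, ip, now):
        if self.leases.get(ip, (None,))[0] != client_id:
            return False
        del self.leases[ip]
        self.free.append(ip)                           # reusable by another client
        next(e for e in reversed(self.log) if e[1] == ip)[3] = now
        return True

def client_join(mac, servers, now):
    # Discover (broadcast) -> offers -> request naming the chosen server -> ack.
    client_id = "01:" + mac                            # identifier derived from the MAC
    offers = [o for s in servers if (o := s.offer(client_id, now))]
    best = max(offers, key=lambda o: len(o["services"]))   # most services wins
    acks = [a for s in servers if (a := s.request(client_id, best["server"], now))]
    return client_id, acks[0]
```

After a release, the only trace left on the server is the log entry with the client identifier, the address and the start and end times, which is all a later investigation would have to work from.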
Another tool used to address security concerns in corporate networks is a firewall. A firewall is a system designed to prevent unauthorized access to or from a network. Firewalls may be implemented in hardware or software, or in a combination of hardware and software.
A firewall is located at the entry/exit point of the networked system it is intended to protect; thus, the firewall is the initial filter for incoming network traffic and the final processor of outgoing traffic. Firewalls are frequently used to prevent unauthorized Internet users outside of the firewall from accessing networks or hosts inside the firewall. The firewall examines the network traffic and blocks information that does not meet specified security criteria. A number of techniques exist for firewalls to protect networks, which may be used individually or in combination. For example, packet filtering is a common technique where the protocol and address information of each packet of Internet traffic is examined by the firewall. Each packet is then accepted or rejected based on user-defined rules.